Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
authorOliver Hader <oliver.hader@typo3.org>
Thu, 16 Dec 2010 13:37:18 +0000 (13:37 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 16 Dec 2010 13:37:18 +0000 (13:37 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-4@9770 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/install/mod/class.tx_install.php
typo3/sysext/install/updates/class.tx_coreupdates_compatversion.php

index 33386cd..aac1e95 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010-12-16  Oliver Hader  <oliver@typo3.org>
+
+       * Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
+
 2010-12-07  Christian Kuhn  <lolli@schwarzbu.ch>
 
        * Fixed bug #16696: [Caching framework] unit tests: Fatal error in t3lib_cache_backend_dbbackendTest due to call to undefined method
index e0d11a7..693b082 100755 (executable)
@@ -912,8 +912,8 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        There is no connection to the database!
                                </strong>
                                <br />
-                               (Username: <em>' . TYPO3_db_username . '</em>,
-                               Host: <em>' . TYPO3_db_host . '</em>,
+                               (Username: <em>' . htmlspecialchars(TYPO3_db_username) . '</em>,
+                               Host: <em>' . htmlspecialchars(TYPO3_db_host) . '</em>,
                                Using Password: YES)
                                <br />
                                Go to Step 1 and enter a valid username and password!
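Review bot: The escape is applied inline at each output site, and the identical `htmlspecialchars(TYPO3_db_username)` / `htmlspecialchars(TYPO3_db_host)` pair recurs in the hunks at -3126, -3142, -3193 and -5416 of this file; assigning the escaped values once per method, e.g. `$dbUsername = htmlspecialchars(TYPO3_db_username);` and `$dbHost = htmlspecialchars(TYPO3_db_host);`, and interpolating those would make it harder for a later message to reintroduce an unescaped site. The string assignment this hunk edits begins outside the hunk, so where such locals would go cannot be seen here.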
@@ -922,7 +922,7 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                $error_missingDB = '
                        <p class="typo3-message message-error">
                                <strong>
-                                       There is no access to the database (<em>' . TYPO3_db . '</em>)!
+                                       There is no access to the database (<em>' . htmlspecialchars(TYPO3_db) . '</em>)!
                                </strong>
                                <br />
                                Go to Step 2 and select a valid database!
@@ -998,11 +998,11 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                'encryptionKey' => $this->createEncryptionKey(),
                                                'branch' => TYPO3_branch,
                                                'labelUsername' => 'Username',
-                                               'username' => TYPO3_db_username,
+                                               'username' => htmlspecialchars(TYPO3_db_username),
                                                'labelPassword' => 'Password',
-                                               'password' => TYPO3_db_password,
+                                               'password' => htmlspecialchars(TYPO3_db_password),
                                                'labelHost' => 'Host',
-                                               'host' => TYPO3_db_host ? TYPO3_db_host : 'localhost',
+                                               'host' => TYPO3_db_host ? htmlspecialchars(TYPO3_db_host) : 'localhost',
                                                'continue' => 'Continue',
                                                'llDescription' => 'If you have not already created a username and password to access the database, please do so now. This can be done using tools provided by your host.'
                                        );
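Review bot: `htmlspecialchars()` is called with its default flags on the `username`, `password` and `host` markers, which in PHP of this era means ENT_COMPAT and leaves single quotes unescaped; these markers appear to be substituted into form fields by a template that is not in the hunk, so the fix is only complete if that template's value attributes are double-quoted. Passing the flag explicitly, `'password' => htmlspecialchars(TYPO3_db_password, ENT_QUOTES),` and likewise for the other two, is safe under either attribute quoting style. The summary markers in the hunk at -1149 look like element content, where the defaults suffice, but the same flag would keep the two sites consistent. The marker array and its enclosing method start outside the hunk.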
@@ -1149,11 +1149,11 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                        $step4SubPartMarkers = array(
                                                                'llSummary' => 'Database summary:',
                                                                'llUsername' => 'Username:',
-                                                               'username' => TYPO3_db_username,
+                                                               'username' => htmlspecialchars(TYPO3_db_username),
                                                                'llHost' => 'Host:',
-                                                               'host' => TYPO3_db_host,
+                                                               'host' => htmlspecialchars(TYPO3_db_host),
                                                                'llDatabase' => 'Database:',
-                                                               'database' => TYPO3_db,
+                                                               'database' => htmlspecialchars(TYPO3_db),
                                                                'llNumberTables' => 'Number of tables:',
                                                                'numberTables' => count($whichTables),
                                                                'action' => htmlspecialchars($this->action),
@@ -3126,9 +3126,9 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        <p>
                                                You may need to enter data for these values:
                                                <br />
-                                               Username: <strong>' . TYPO3_db_username . '</strong>
+                                               Username: <strong>' . htmlspecialchars(TYPO3_db_username) . '</strong>
                                                <br />
-                                               Host: <strong>' . TYPO3_db_host . '</strong>
+                                               Host: <strong>' . htmlspecialchars(TYPO3_db_host) . '</strong>
                                                <br />
                                                <br />
                                                Use the form below.
@@ -3142,13 +3142,13 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                        Username:
                                                </dt>
                                                <dd>
-                                                       ' . TYPO3_db_username . '
+                                                       ' . htmlspecialchars(TYPO3_db_username) . '
                                                </dd>
                                                <dt>
                                                        Host:
                                                </dt>
                                                <dd>
-                                                       ' . TYPO3_db_host . '
+                                                       ' . htmlspecialchars(TYPO3_db_host) . '
                                                </dd>
                                        </dl>
                                ', -1, 1);
@@ -3165,7 +3165,7 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                } elseif (!$GLOBALS['TYPO3_DB']->sql_select_db(TYPO3_db))  {
                                        $this->message($ext, 'Database', '
                                                <p>
-                                                       \''.TYPO3_db.'\' could not be selected as database!
+                                                       \'' . htmlspecialchars(TYPO3_db) . '\' could not be selected as database!
                                                        <br />
                                                        Please select another one or create a new database.
                                                </p>
@@ -3174,7 +3174,7 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                } else  {
                                        $this->message($ext, 'Database', '
                                                <p>
-                                                       <strong>' . TYPO3_db . '</strong> is selected as
+                                                       <strong>' . htmlspecialchars(TYPO3_db) . '</strong> is selected as
                                                        database.
                                                </p>
                                        ', 1, 1);
@@ -3193,9 +3193,9 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        <p>
                                                Connecting to SQL database failed with these settings:
                                                <br />
-                                               Username: <strong>' . TYPO3_db_username . '</strong>
+                                               Username: <strong>' . htmlspecialchars(TYPO3_db_username) . '</strong>
                                                <br />
-                                               Host: <strong>' . TYPO3_db_host . '</strong>
+                                               Host: <strong>' . htmlspecialchars(TYPO3_db_host) . '</strong>
                                        </p>
                                        <p>
                                                Make sure you\'re using the correct set of data.
@@ -4397,25 +4397,25 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        ImageMagick enabled:
                                </dt>
                                <dd>
-                                       ' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im'] . '
+                                       ' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im']) . '
                                </dd>
                                <dt>
                                        ImageMagick path:
                                </dt>
                                <dd>
-                                       ' . $im_path . ' <span>(' . $im_path_version . ')</span>
+                                       ' . htmlspecialchars($im_path) . ' <span>(' . htmlspecialchars($im_path_version) . ')</span>
                                </dd>
                                <dt>
                                        ImageMagick path/LZW:
                                </dt>
                                <dd>
-                                       ' . $im_path_lzw . ' <span>(' . $im_path_lzw_version . ')</span>
+                                       ' . htmlspecialchars($im_path_lzw) . ' <span>(' . htmlspecialchars($im_path_lzw_version) . ')</span>
                                </dd>
                                <dt>
                                        Version 5/GraphicsMagick flag:
                                </dt>
                                <dd>
-                                       ' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] ? $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] : '&nbsp;') . '
+                                       ' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] ? htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5']) : '&nbsp;') . '
                                </dd>
                        </dl>
                        <dl id="t3-install-imageprocessingother">
@@ -4423,33 +4423,33 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        GDLib enabled:
                                </dt>
                                <dd>
-                                       ' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib'] ? $GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib'] : '&nbsp;') . '
+                                       ' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib'] ? htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib']) : '&nbsp;') . '
                                </dd>
                                <dt>
                                        GDLib using PNG:
                                </dt>
                                <dd>
-                                       ' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png'] ? $GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png'] : '&nbsp;') . '
+                                       ' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png'] ? htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png']) : '&nbsp;') . '
                                </dd>
                                <dt>
                                        IM5 effects enabled:
                                </dt>
                                <dd>
-                                       ' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_v5effects'] . '
+                                       ' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_v5effects']) . '
                                        <span>(Blurring/Sharpening with IM 5+)</span>
                                </dd>
                                <dt>
                                        Freetype DPI:
                                </dt>
                                <dd>
-                                       ' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['TTFdpi'] . '
+                                       ' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['TTFdpi']) . '
                                        <span>(Should be 96 for Freetype 2)</span>
                                </dd>
                                <dt>
                                        Mask invert:
                                </dt>
                                <dd>
-                                       ' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_imvMaskState'] . '
+                                       ' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_imvMaskState']) . '
                                        <span>(Should be set for some IM versions approx. 5.4+)</span>
                                </dd>
                        </dl>
@@ -4458,7 +4458,7 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        File Formats:
                                </dt>
                                <dd>
-                                       ' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext'] . '
+                                       ' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext']) . '
                                </dd>
                        </dl>
                ';
@@ -4481,8 +4481,8 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                        $msg .= '
                                <p>
                                        Warning: Mismatch between the version of ImageMagick' .
-                                       ' (' . $im_path_version.') and the configuration of ' .
-                                       '[GFX][im_version_5] (' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] . ')
+                                       ' (' . htmlspecialchars($im_path_version) . ') and the configuration of ' .
+                                       '[GFX][im_version_5] (' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5']) . ')
                                </p>
                        ';
                        $etype=2;
@@ -5416,20 +5416,20 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        Username:
                                </dt>
                                <dd>
-                                       ' . TYPO3_db_username . '
+                                       ' . htmlspecialchars(TYPO3_db_username) . '
                                </dd>
                                <dt>
                                        Host:
                                </dt>
                                <dd>
-                                       ' . TYPO3_db_host . '
+                                       ' . htmlspecialchars(TYPO3_db_host) . '
                                </dd>
                        </dl>
                ', -1, 1);
 
                $this->message($headCode, 'Database', '
                        <p>
-                               <strong>' . TYPO3_db . '</strong> is selected as database.
+                               <strong>' . htmlspecialchars(TYPO3_db) . '</strong> is selected as database.
                                <br />
                                Has <strong>' . count($whichTables) . '</strong> tables.
                        </p>
index 250625c..705c722 100644 (file)
@@ -98,7 +98,7 @@ class tx_coreupdates_compatversion {
                                <p>
                                        Your current TYPO3 installation is configured to
                                        <strong>behave like version
-                                       ' . $TYPO3_CONF_VARS['SYS']['compat_version'] . '
+                                       ' . htmlspecialchars($TYPO3_CONF_VARS['SYS']['compat_version']) . '
                                        </strong> of TYPO3. If you just upgraded from this version,
                                        you most likely want to <strong>use new features</strong> as
                                        well.
@@ -153,7 +153,7 @@ class tx_coreupdates_compatversion {
                } else {
                        $content = '
                                <p>
-                                       TYPO3 output is currently compatible to version ' . $TYPO3_CONF_VARS['SYS']['compat_version'] . '.
+                                       TYPO3 output is currently compatible to version ' . htmlspecialchars($TYPO3_CONF_VARS['SYS']['compat_version']) . '.
                                        To use all the new features in the current TYPO3 version,
                                        make sure you follow the guidelines below to upgrade without
                                        problems.